Hosting provider allocation advice

Wouter de Jong wouter at widexs.nl
Fri Oct 16 13:11:45 CEST 2009


Hi Bernhard,

> -----Original Message-----
> From: Bernhard Schmidt [mailto:berni at birkenwald.de]
> Sent: Thursday, October 15, 2009 20:04
> To: Wouter de Jong
> Cc: ipv6-ops at lists.cluenet.de
> Subject: Re: Hosting provider allocation advice

> As Gert already said, "unshare that VLAN".
> 
> If this is not possible, I (probably not the only one) thought of the
> following approach that at least one company is using already:
> 
> a) do not use global addresses on the transport VLAN at all
> b) assign a /64 or /48 per customer, route it to their link-local
> address
> 
> customer configuration won't change, they can still statically
> configure
> their own prefix on their ethernet port and learn the default gateway
> from RA (or set a static route, but that needs a link-local next-hop
> as
> well).
> 
> c) (optional) set a static neighbor entry for the LL addr to their MAC
> d) (optional) set port security to only allow the MAC on their port
> e) (optional) enable private VLAN

This sounds reasonable at first look :)

Our current equipment (for the shared vlan/subnet part) can handle 250
IPv6 interfaces,
so that leaves about 240 customer VLANs (which is also about the limit
for our access-switches).
We currently are at ~150.
It can also handle only 2000 IPv6 static routes, but that should be
enough for now.

What holds me a bit back though is the use of link-local.
This would indeed mean that our customers need to manually specify the
link-local address
of our router, but if we'd swap interfaces, our link-local would change.
So RA comes indeed into the picture.
However... just as with DHCP, you'd need to ensure that only _our_
equipment can send RAs?
This can't be enforced I think, without heavy support in your
access-switches?
So if a server receives 20 RAs, which one does it pick?

Also, we don't have support for private vlans in our access-switches at
the moment.

(Yes, we probably need new equipment :>)

<..>


Best regards,

Wouter
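The rogue-RA concern raised in this reply (which of 20 RAs does a server pick) is usually addressed at the access switch with RA guard; where that is unavailable, a host-side check can at least flag advertisements from unexpected sources. The Python below is an added example, not code from this thread: it parses a raw IPv6 Router Advertisement and classifies it against an allow-list of the provider's router link-local addresses. The trusted address fe80::1 and the prefixes are constructed placeholders, and the packets are built inline rather than captured.

```python
import ipaddress
import struct
from typing import Optional

# Link-local addresses of the provider's own routers (constructed placeholder).
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3


def parse_ra(packet: bytes) -> Optional[dict]:
    """Parse a raw IPv6 packet; return RA fields, or None if it is not an RA.
    The ICMPv6 checksum is not verified here."""
    if len(packet) < 56 or packet[0] >> 4 != 6:
        return None
    if packet[6] != 58:                       # next header must be ICMPv6
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:]
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, pos = [], 16                    # options start after the 16-byte RA header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:                      # malformed option: stop rather than loop forever
            break
        body = icmp[pos:pos + opt_len * 8]
        if opt_type == OPT_PREFIX_INFORMATION and len(body) == 32:
            prefixes.append(ipaddress.IPv6Network((body[16:32], body[2]), strict=False))
        pos += opt_len * 8
    return {"src": src, "router_lifetime": router_lifetime, "prefixes": prefixes}


def classify_ra(packet: bytes) -> str:
    """'trusted' if the RA comes from one of our routers, 'rogue' otherwise."""
    ra = parse_ra(packet)
    if ra is None:
        return "not-an-ra"
    return "trusted" if ra["src"] in TRUSTED_ROUTERS else "rogue"


def build_ra(src: str, prefix: str = "2001:db8:1::/64", lifetime: int = 1800) -> bytes:
    """Build a minimal RA with one Prefix Information option (constructed test input)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0) + opt
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return ip6 + icmp
```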

